
Part 1: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

February 28, 2018

Across hundreds of strategy, risk and compliance engagements, Optiv's consultants have been asked thoughtful and deep questions by our clients about control frameworks and standards. These questions usually center on which frameworks and standards are most appropriate for a particular organization, which specific controls matter most, and in what order and to what depth an organization should pursue maturity against a given set of controls. In this two-part blog series, I'd like to share some field observations on this topic gathered by Optiv's strategy, risk and compliance teams.

Excellence Requires Discipline, and Frameworks are Useful Here

When your security team is constantly putting out fires and incidents seem never-ending, it is a sure sign of an ad-hoc security program, one that responds to issues rather than attacking root causes. Without fail, clients in this position have no effective method (outside of personal heroics) of tracking the state of the program and which controls are actually in place. The remedy is to put the right program elements in place and begin proactively managing the security posture of the business.

Keeping track of the security program is essential if an organization is to escape the daily fire-fighting mode of security management, and control frameworks are an essential and effective way to accomplish this. One interesting pattern is the improvement in security programs we have seen when clients begin to face more demanding compliance requirements as they grow. A good example is the improvement in information security posture when an organization moves from a PCI Level 2 merchant to a PCI Level 1 merchant. On the surface, the cause would seem to be the external QSA now holding the organization accountable, but a more subtle factor is at play: the organization now has a defined list of controls and a checklist to follow in managing its program. We have seen many programs run with PCI DSS as the control framework of choice, even though it is not really a control framework at all but an industry standard.

Having something to measure against is key to deciding what to do next with an information security program. Many well-known control frameworks and standards serve this purpose: ISO 27001/27002, the NIST SP 800 series (notably SP 800-53), the NIST Cybersecurity Framework (CSF), the CIS Top 20 Controls, COBIT, ITIL, PCI DSS, and the list goes on. Each is well designed, expertly constructed and thoughtfully organized.

“A Check in Every Box”

The downside is that we in the information security industry have, over the decades, adopted the notion that we must "put a check in every box." This is where it goes sideways. Organizations simply do not have the money, or the information security and IT staff, to put a check in every box, and business stakeholders and end users have no tolerance for the restrictive controls that checking every box entails.

Take ISO 27002, for instance. The 2013 edition contains 114 controls, well organized into 14 chapters. NIST SP 800-53 is larger still, with well over 200 base controls in Revision 4 and several times that number once control enhancements are counted. Taken individually these controls all appear reasonable and practical, but taken in totality they are a challenge to implement even at a moderate degree of maturity, let alone at a high degree of well-monitored, continuously improving maturity.

The truth of our industry is that 100 percent maturity in 100 percent of the controls in any of these frameworks is not only impossible, it is impractical and unnecessary. We have spent years pursuing that objective, and we have little to show for it if metrics such as breach frequency, breach cost and the rate at which new threats emerge are any indication. Look at healthcare: HIPAA was passed in 1996 and HITECH in 2009. Did healthcare breaches decrease in frequency or cost? Quite the contrary. Why is this the case, given the specificity with which some of these frameworks say what to do to protect information? And what can we do to leverage the frameworks most effectively?

Business-Aligned Security

At the other end of the spectrum from the "fire-of-the-day" program are security programs connected to the operation of the business in a meaningful and effective way. We generally encounter these programs in the course of regular strategy tune-ups and recurring risk assessments. They have a plan, adjust it regularly, and have a genuine sense of where they are mature and where they are not. What is striking is that where we find areas of immaturity, the immaturity is usually intentional, a deliberate choice rather than an oversight. This is a departure from "a check in every box," and it requires acumen in both business and technology to succeed. We call these "business-aligned programs." They are rare and fantastically effective when done properly, and they have figured out how to leverage control frameworks to facilitate that alignment rather than treating the framework as an end in itself.

In summary, frameworks and standards are necessary as long as the ultimate goal is business alignment rather than putting checks in boxes for their own sake. In the second part of this series I will discuss the "how" of driving toward a business-aligned security program and where frameworks fit into that process.

VP, Product Management

J.R. Cunningham is an accomplished innovator and premier thinker in cyber security and risk management. As vice president of product management, Cunningham is responsible for maintaining Optiv’s industry leading advisory services offerings and developing innovative and practical solutions that solve real-world security challenges.
